APM Cookbook: Single Sign On (SSO) using Kerberos
To get the APM Cookbook series moving along, I’ve decided to help out by documenting the common APM solutions I help customers and partners with on a regular basis.
Kerberos SSO is nothing new, bu...
Published Apr 28, 2014
Version 1.0
Smithy
Cirrostratus
Cirrostratus
Martin_Kylian_1
Nimbostratus
NimbostratusHi Brett, thanks, I think I've done the AAA krb auth right.
Ending up with this
Oct 17 15:54:52 sok5-f5 err websso.3[23639]: 014d0026:3: /Common/pptest2:Common:61e5157b: Could not find SSO username, check SSO credential mapping agent setting
Oct 17 15:54:52 sok5-f5 debug websso.3[23639]: 014d0041:7: /Common/pptest2:Common:61e5157b: Could not find SSO domain, using default realm defined for Kerberos SSO object
Oct 17 15:54:52 sok5-f5 err websso.3[23639]: 014d0043:3: /Common/pptest2:Common:61e5157b: SSO username is empty - SSO is disabled
I can see the authenticated session. Variable session.logon.last.username by AAA is something like this user@KRB-REALM.ORG. Is the right thought that this should be mapped to be used by SSO (backend krb delegation) to defined variables (session.sso.token.last.username and session.ad.last.actualdomain in this scenario) by SSO credentail mapping? Can you advise me me how to achieve this?